SignsrchĪnother tool worth mentioning in this context is Signsrch by Luigi Auriemma. After all, extracting data from running processes isn't a static malware analysis technique. A process might reveal strings that aren't visible inside a file until the program runs. Sure, you could do this using GUI tools such as Process Explorer and Process Hacker, but sometimes it's convenient to be able to get this information from the command prompt. What makes strings2 quite unique is its ability to extract strings from a running process. One of the nice features of strings2 is its ability to extract ASCII and Unicode-encoded strings in one step. In many ways, it's similar to traditional string-extracting utilities that you're familiar with. ![]() Strings2Īnother handy command-line tool for examining static properties of files is strings2 by Geoff McDonald. It really shines when analyzing images, but it can also extract some data from Windows executables, as you can see below. For instance, ExifTool Phil Harvey can extract various meta data embedded into files. Moreover, it's generally a good idea to include in your toolkit multiple tools that perform similar functions. ExifToolĪs convenient as PE Studio and peframe are, sometimes it's nice to have command-line tools designed for one specific job. It runs well on Windows, as long as you install the Python runtime. Peframe can compute hashes, extract PE header details, identify common packers, detect suspicious API calls, etc. Peframe by Gianni Amato is a command-line tool that can automatically extract static file properties, displaying some of the information you can explore interactively with PE Studio. Such details can be easily faked, but at times they can be used as potential IOCs. PE Studio also shows "meta" information that could be embedded into the file to describe its author and version. PE Studio can also query VirusTotal for information it might contain that matches the hash of the file you're examining, if your lab system is connected to the Internet. These indicators include "blacklisted" strings and API calls, as shown below. Perhaps most usefully, PE Studio automatically flags aspects of the file that could indicate that is is malicious, as you can see below. This way, if the attacker changes a portion of the file, hash values of one or more sections might still match as an IOC. For this reason, it's useful to note hash values of the sections that comprise the malicious program. Hash values could be used as indicators of compromise (IOCs), but malware authors can easily tweak the specimen to change the file's hash. ![]() You many of these details through other means however, it's very convenient to capture this information on one shot.įor instance, PE Studio not only shows the names and other properties of the PE file's sections, it also automatically computes each section's MD5 hash. PE Studio by Marc Ochsenmeier is a GUI tool for statically examining many aspects of a suspicious Windows executable file, such as imported and exported function names and strings. Let's take a look at a few static analysis utilities that run on Windows. ![]() Also, my webcast on getting started with malware analysis using REMnux showed several other Unix-based tools useful for this work. In an earlier post I discussed how to extract static property details a Linux environment by using MASTIFF. Let's take a look at several free Windows tools that are useful for extracting such meta data from potentially-malicious executables. This effort allows you to perform an initial assessment of the file without even infecting a lab system or studying its code. Immediately apply the skills and techniques learned in SANS courses, ranges, and summitsĮxamining static properties of suspicious files is a good starting point for malware analysis.
0 Comments
Leave a Reply. |